not all real-time-alert emails are being sent

michal_centralw
Explorer

Hi,

I have a very odd situation: all but one real-time alert are working fine. One alert, which flags up the 404s, works for a few minutes after a Splunk restart and then it stops sending emails. Neither python.log nor scheduler.log shows any sort of errors. It looks like an alert would never be triggered; however, when I open the search result I can observe that the search actually works.

0 Karma

alterdego
Path Finder

This doesn't seem to be the same issue you are having but I had a similar problem after upgrading to 6.1.1 where some alerts wouldn't fire. In my case it also seemed to be related to the account that owned the search.

My situation seemed to be known issue SPL-84357. The workaround was to add a session timeout line to server.conf (sessionTimeout = 30d). After making the change and restarting the alerts fired as expected.

I've included the links I found most helpful here:

http://answers.splunk.com/answers/137421/why-are-my-real-time-alerting-searches-no-longer-sending-em...

http://docs.splunk.com/Documentation/Splunk/6.1.1/ReleaseNotes/Knownissues

Hope that helps.

michal_centralw
Explorer

Unfortunately this didn't help; emails are still not being sent after some time.

0 Karma

michal_centralw
Explorer

Hi alterdego, I will try it out now, and maybe this is somehow related!

0 Karma